The Web Has Taken a Shot to the Heart: What You Can Do About Heartbleed

This week a new vulnerability was announced in OpenSSL, the library used by most computers to encrypt data sent across the internet. CVE-2014-0160, also known as Heartbleed, essentially lets an attacker pull the keys used to encrypt your data directly from the memory of a vulnerable web server, thereby letting him or her read any traffic sent from that server including usernames, passwords, financial information and more.

Important Facts about Heartbleed

While this might seem like something that wouldn’t affect your small website, keep in mind a few facts:

First, the bug was introduced into OpenSSL about two years ago. No one knows for sure how long anyone, including the bad guys, has known about it, according to theverge.com.

What You Need To Do About Heartbleed Now

If your website is vulnerable and you’re on shared hosting or a managed server, contact your host right away to make sure they are getting it patched.

If you’re running your own server, patch it immediately. This means making sure you’re using a patched version of OpenSSL. If you’re running an Ubuntu Server you can look here for instructions to upgrade. For CentOS and other Linux distributions, this article offers some help or you will need to contact the distribution vendor for instructions.

Change all SSL certificates you use on your site, generating a new private key for each one, since a certificate re-issued for the same, possibly leaked key gains you nothing. You’ll need to request that they be re-issued from the service where you bought them initially. Re-issuing is usually free, but will take a bit of your time.

Change your passwords. Start changing the passwords you use on every site you access. Next time you log in, just make it a point to change it. I recommend using 1Password to help you with this. Not only can it generate a strong password for you, but it can make logging in on any website in the future as simple as a couple of keys. This will let you set a different strong password for every site you use without having to worry about forgetting it.
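The steps above start with "make sure you’re using a patched version of OpenSSL", and that is harder to read off a server than it sounds, because distributions that backported the fix kept the old version string. The script below is an added example, not part of the original post: it classifies the text of `openssl version -a` using only the facts from the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g fixed, builds compiled with `-DOPENSSL_NO_HEARTBEATS` unaffected) and uses the "built on:" date to flag the backport case for manual confirmation. The sample outputs embedded in it are constructed for illustration.

```python
"""Heartbleed (CVE-2014-0160) triage from `openssl version -a` output.

Added example, not code from the original post. Facts assumed here come
from the OpenSSL advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1 are
affected, 1.0.1g (released 7 Apr 2014) is fixed, and a build compiled
with -DOPENSSL_NO_HEARTBEATS never had the heartbeat code at all.
Distributions that backported the fix keep the old version string but
show a "built on:" date of 7 Apr 2014 or later, so that case is reported
as "verify_backport" rather than guessed either way.
"""
import re
from datetime import date

FIX_RELEASE_DATE = date(2014, 4, 7)  # 1.0.1g and the first distro backports

_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014"
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")
# "built on: Mon Apr  7 20:33:29 UTC 2014" (zone may also follow the year)
_BUILT_RE = re.compile(
    r"built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+(?:\w+\s+)?(\d{4})")


def parse_version(output):
    """Return (major, minor, patch, letter, prerelease) from the version line."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no OpenSSL version line found")
    major, minor, patch, letter, pre = m.groups()
    return (int(major), int(minor), int(patch), letter, pre or "")


def parse_build_date(output):
    """Return the 'built on:' date, or None if the line is absent."""
    m = _BUILT_RE.search(output)
    if not m:
        return None
    mon, day, year = m.groups()
    return date(int(year), _MONTHS[mon], int(day))


def heartbeats_disabled(output):
    """True if the compiler line shows the heartbeat extension compiled out."""
    return "-DOPENSSL_NO_HEARTBEATS" in output


def in_affected_range(version):
    """1.0.1 (no letter) through 1.0.1f, plus 1.0.2-beta1, are affected."""
    major, minor, patch, letter, pre = version
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        return pre == "beta1"
    return False  # the 0.9.8 and 1.0.0 branches never had the bug


def assess(output):
    """Classify as 'vulnerable', 'verify_backport', 'fixed' or 'not_affected'."""
    version = parse_version(output)
    if not in_affected_range(version):
        return "fixed" if version[:3] >= (1, 0, 1) else "not_affected"
    if heartbeats_disabled(output):
        return "not_affected"
    built = parse_build_date(output)
    if built is not None and built >= FIX_RELEASE_DATE:
        return "verify_backport"  # old version string, new build: check the changelog
    return "vulnerable"


# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "unpatched": ("OpenSSL 1.0.1e 11 Feb 2013\n"
                  "built on: Tue Feb 12 03:22:00 UTC 2013\n"
                  "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS\n"),
    "distro_backport": ("OpenSSL 1.0.1 14 Mar 2012\n"
                        "built on: Mon Apr  7 20:33:29 UTC 2014\n"
                        "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS\n"),
    "upstream_fixed": ("OpenSSL 1.0.1g 7 Apr 2014\n"
                       "built on: Mon Apr  7 11:30:20 UTC 2014\n"),
    "no_heartbeats": ("OpenSSL 1.0.1e 11 Feb 2013\n"
                      "built on: Tue Feb 12 03:22:00 UTC 2013\n"
                      "compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS\n"),
    "old_branch": "OpenSSL 1.0.0l 6 Jan 2014\n",
}


def triage_all(samples=SAMPLES):
    """Run assess() over a dict of outputs; returns {name: verdict}."""
    return {name: assess(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:16s} {verdict}")
```

Feed it the real output of `openssl version -a` from each host; a "verify_backport" result means reading the distribution's package changelog for the CVE number before trusting it. Two things this check cannot see and you still have to do by hand: any process that loaded the old library before the upgrade (web server, mail server, VPN daemon) keeps the vulnerable code in memory until it is restarted, and a re-issued certificate only helps if its key changed, which you can confirm by comparing the output of `openssl x509 -in cert.pem -noout -pubkey` for the old and new certificate.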

Comments

I run a managed VPS. I contacted my host yesterday and after they patched my server, I asked them if I needed to get reissued SSL certificates going to a subdomain and for the root VPS login for the server and he said no? Patching the server is all that is needed. From reading your article, I infer that might not be right? In my instance would changing the passwords to those two logins, (I’m the only user) suffice?

The bug worked by allowing the certificates themselves to become compromised. Certificates are made up of two parts, one public and one private (the key). With the key an attacker can simply decrypt and read any traffic received. As this bug allowed the download of the key itself you should change all SSL certificates as well as any passwords for any sites that are or were affected (for the passwords just wait until they patch first).
